Software Composition Analysis
Introduction
Sysdig’s Software Composition Analysis (SCA) integrations connect findings from your SCA tools, such as Semgrep and Snyk, with runtime vulnerability data discovered by Sysdig Secure. This integration enriches runtime package vulnerabilities with crucial source code context, directly addressing the core value proposition: SCA + Runtime Context = Enhanced Risk Understanding & Remediation.
By linking a runtime vulnerability back to its origin in the source code, teams can significantly accelerate triage, pinpoint ownership, and apply the correct fix efficiently.
Benefits and Use Cases
Combining SCA insights with Sysdig’s runtime data provides a clearer, more actionable path to reducing risk observed in your production environments.
Faster Root Cause Analysis (The “WHERE”)
Link runtime vulnerabilities back to the source context to immediately understand their origin.
- For Security Teams: When investigating a runtime vulnerability, you can instantly see the associated source code repository and the specific dependency file (e.g., package.json, pom.xml) where the vulnerable package was declared. This provides a clear line of sight from runtime risk back to the codebase.
- For Developers and Engineers: When tasked with fixing a vulnerability, the source repository and file path are readily available. This eliminates guesswork and allows you to rapidly locate the specific code requiring modification.
Better Fix Recommendations (The “HOW”)
Provide actionable remediation guidance directly from SCA data.
- For Developers and Engineers: Sysdig displays the specific, recommended safe version(s) to upgrade a vulnerable package to. This ensures you can efficiently apply the correct fix without spending time researching solutions. Links to relevant patch information or remediation advice are also provided for clear, actionable steps.
- For Security Teams: When assessing a runtime vulnerability, seeing the recommended fix version helps security teams understand the remediation path and effort required, facilitating better communication and planning with development teams.
Process Overview
The integration works by correlating runtime findings with data ingested from your configured SCA tool. This correlation is made possible by a specific label on your container images.
- Configure the Integration: An administrator connects Sysdig Secure to your SCA provider (Semgrep or Snyk).
- Label Your Images: During your CI/CD build process, you must add the org.opencontainers.image.source label to your container images. This label tells Sysdig which source repository the image was built from.
- View Enriched Findings: Sysdig scans your running images. When a vulnerability is found in a package, Sysdig uses the image label to query the connected SCA tool for context about that package in the corresponding source repository. The runtime finding is then automatically enriched with details like the recommended fix version and the dependency file path.
Prerequisite: Linking Source to Runtime
To enable the correlation between runtime assets and source code, you must add a Docker label to your images at build time. This allows Sysdig to identify the source repository associated with a running container.
To correlate, the org.opencontainers.image.source label is required.
Docker labels can be added in two ways:
- In source code, by adding a LABEL statement to your Dockerfile.
- In your build pipeline, using the --label parameter of the docker build command.
Example:
You can add the required label either directly in your Dockerfile or during the build process.
Add the LABEL instruction to your Dockerfile.
FROM nginx:latest
# SOURCE_URL (a build-argument name chosen for this example) is supplied at build time, e.g. --build-arg SOURCE_URL="https://github.com/${{ github.repository }}" from a GitHub Actions workflow; Docker itself does not expand ${{ ... }} expressions, so they must not appear literally in the Dockerfile.
ARG SOURCE_URL
LABEL org.opencontainers.image.source="${SOURCE_URL}"
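The two labelling methods above, and the runtime correlation described under Process Overview and checked under Validate the Integration, all depend on the label carrying a repository URL that Sysdig can match to the source repository. The script below is an added example, not Sysdig's own tooling: it derives that URL from the git remote of the checked-out repository, builds the image with the --label flag (the second method), and reads the label back with docker inspect so that a pipeline fails early when the label is missing or malformed. The function names, the image tag and the repository URLs in it are constructed for this example.

```shell
#!/usr/bin/env sh
# Added example (not Sysdig's own code): label an image with
# org.opencontainers.image.source at build time and verify the label.

# Normalise a git remote URL into the https form that can be mapped to a
# repository, e.g. git@github.com:acme/shop.git -> https://github.com/acme/shop
# (constructed sample values). Returns 1 for remote forms it does not handle.
source_url_from_remote() {
  remote="$1"
  case "$remote" in
    git@*:*)
      host="${remote#git@}"; host="${host%%:*}"
      path="${remote#*:}"
      ;;
    ssh://git@*)
      rest="${remote#ssh://git@}"
      host="${rest%%/*}"; path="${rest#*/}"
      ;;
    https://*)
      rest="${remote#https://}"
      host="${rest%%/*}"; path="${rest#*/}"
      ;;
    *)
      return 1
      ;;
  esac
  path="${path%.git}"
  printf 'https://%s/%s\n' "$host" "$path"
}

# Pure check of the label value, kept separate so it can be exercised
# without a Docker daemon: the value must be an https URL with a path.
label_is_valid() {
  case "$1" in
    https://*/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Build with the label passed on the command line (the second method the
# page describes). IMAGE and SOURCE_URL are hypothetical names.
build_labelled_image() {
  image="$1"; source_url="$2"
  docker build \
    --label "org.opencontainers.image.source=$source_url" \
    -t "$image" .
}

# Read the label back from the built image; a missing label yields an
# empty string, which label_is_valid rejects.
verify_source_label() {
  image="$1"
  label=$(docker inspect \
    --format '{{ index .Config.Labels "org.opencontainers.image.source" }}' \
    "$image")
  label_is_valid "$label"
}

# Typical pipeline usage (needs a real Docker daemon, so not run here):
#   url=$(source_url_from_remote "$(git config --get remote.origin.url)")
#   build_labelled_image myapp:ci "$url" && verify_source_label myapp:ci
```

Deriving the URL from the remote rather than hard-coding it keeps the label correct when the repository is forked or renamed, and the verify step guards against the silent failure mode of a build that succeeds without the label, which Sysdig would then be unable to enrich.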
Set up an SCA Integration
- Log in to Sysdig Secure as an administrator and select Integrations > Software Composition Analysis.
- If no integration has been added, the page is empty.
- If integrations already exist, a list is displayed showing the Integration Name, Type (Semgrep, Snyk), and Status.
- Click Add SCA Integration.
- Select the relevant integration type from the drop-down and complete the configuration.
Semgrep
The Semgrep integration requires an API token with specific permissions.
Create the API Token in Semgrep
- Log in to your Semgrep account.
- Navigate to Settings > Tokens.
- Under API Tokens, click Create new token.
- In the pop-up window, enable the following scopes for the token: Agent CI and Web API.
- Record your API token and store it in a safe place. You will not be able to see it again after closing the window.
- Click Save.
Configure in Sysdig
- From the Add SCA Integration page, choose Semgrep.
- Enter a unique Integration Name to identify this connection.
- Enter your Semgrep Organization Name. You can find this in your Semgrep URL (e.g., semgrep.dev/manage/my-org).
- Enter the API Token you created in the previous steps.
- Click Test Connection to validate the credentials.
- Upon a successful test, click Add Integration.
Snyk
The Snyk integration uses OAuth2 for a secure, browser-based authorization flow. You do not need to manually create or manage API tokens.
Snyk EU Region Limitations
Due to differences in the Snyk API for the EU region, some enrichment data may not be available for EU-based customers. This can include fields such as remediation advice, cvss_score, and whether a fix is patchable.
Configure in Sysdig
- From the Add SCA Integration page, choose Snyk.
- Enter a unique Integration Name to identify this connection.
- Enter your Snyk Organization ID. This can be found in your Snyk organization’s settings URL.
- Click Connect to Snyk. You will be redirected to the Snyk website in a new browser tab.
- Log in to Snyk if you are not already.
- A Snyk page will ask you to authorize Sysdig to access your resources. Review the permissions and click Authorize.
- Upon successful authorization, you will be redirected back to the Sysdig Secure UI. The connection will be finalized automatically. The status should show as Active.
Validate the Integration
Once an integration is configured, its status will appear in the Software Composition Analysis integrations list.
- Status: The status should be Active, indicating a successful connection between Sysdig Secure and your SCA provider. If there is an error, review your configuration details and credentials.
- Viewing Enriched Data: Validation is confirmed by observing the enriched data in your runtime vulnerability findings. Navigate to Vulnerabilities > Findings, and select a vulnerability associated with an image that has the org.opencontainers.image.source label. It may take up to 24 hours for the enriched data to appear.
In the vulnerability details, you will now see new fields populated with data from your SCA tool:
- Repository, URL, Branch, Commit: Pinpoints the exact location in your source code where the vulnerable package originates, including the repository name, clone URL, branch, and specific commit hash.
- File Path: Shows the path to the manifest file (e.g., package.json) that declares the vulnerable dependency.
- Remediations: Provides actionable suggestions from the SCA tool, such as the safe version to upgrade to.
- Vendor Links: Offers direct links to the SCA provider’s resources, such as their knowledge base or a specific issue tracker for the vulnerability, for deeper investigation.